Releases: cloudposse/terraform-aws-cloudfront-s3-cdn

v0.98.0

31 May 15:35

fix: terratest w/ go updates @oycyc (#337)

Not familiar with how Go works, but following the suggestions to update packages looks to fix the tests in this repository!

The commands I executed per @Nuru's suggestion on Slack:

cd test/src
go get -u ./... github.com/gruntwork-io/terratest github.com/stretchr/testify [email protected]
go mod tidy

Slack thread here on CloudPosse: https://sweetops.slack.com/archives/G014YEKDH4K/p1748635698940509?thread_ts=1746672149.263629&cid=G014YEKDH4K

🚀 Enhancements

replace TLSv1.2_2019 with TLSv1.2_2021 as default policy @jamerply (#294)

what

This PR updates the minimum_protocol_version variable so that it defaults to TLSv1.2_2021 (the current recommended security policy recommended by AWS) instead of TLSv1.2_2019.

why

The most current security policy is no longer TLSv1.2_2019 but is TLSv1.2_2021.

references

See the "Security Policy" heading under the "Distribution Setting" section of the AWS CloudFront Documentation for further information.

v0.97.0

10 Mar 18:34
8334f18

🚀 Enhancements

feat: Add support for custom Lambda@Edge policies @jwadolowski (#333)

what

Execution role associated with Lambda@Edge comes with a hardcoded policy that enables write access to CloudWatch logs. This PR adds support for additional policies. It was implemented in a similar fashion to additional_bucket_policy from the parent module.

why

It's a fairly common situation that a Lambda@Edge function needs access to other AWS services/resources than CloudWatch logs. aws_lambda_function's role argument expects a single role ARN, therefore the only reasonable option is to append new policy statements to the IAM role created in scope of this module.

references

closes #261

v0.96.2

24 Feb 20:00
8853705

🚀 Enhancements

Set allowed and cache methods as non nullable @travis-reed (#324)

what

Set allowed_methods and cached_methods as non nullable

Setting nullable to false ensures that the variable value will never be null within the module. If nullable is false and the variable has a default value, then Terraform uses the default when a module input argument is null.

why

I want to be able to sometimes call this module with explicit allowed_methods and cached_methods and sometimes just use the module defaults.

As it stands, I cannot do that without making my default value match your default value. It would be better for the module to use its defaults when I pass in null

Right now I am hitting

Error: Missing required argument

  with module.fanx.module.sdp_assets.module.static_cdn.aws_cloudfront_distribution.default[0],
  on /tmp/terraform-data-dir/modules/fanx.sdp_assets.static_cdn/main.tf line 522, in resource "aws_cloudfront_distribution" "default":
 522:     allowed_methods            = var.allowed_methods

The argument "default_cache_behavior.0.allowed_methods" is required, but no
definition was found.

Which I can work around by setting a default on my side, but it isn't ideal behavior

references

Additional Notes

I wouldn't consider this a breaking change. Today, the behavior if you pass in null as the argument to the module you will get a failure as shown above. This makes passing in null possible without negatively impacting existing users.

Make sure tags are associated with Lambda functions (#332)

why

tags argument is not set at all which results in an empty tag list.

references

https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/v0.96.1/modules/lambda%40edge/main.tf#L78-L86

v0.96.1

19 Feb 13:18
6ae1217

🚀 Enhancements

memory and timeout vars for lambda@edge @mihaiplesa (#330)

what

Allow configuring memory size and timeout for the Lambda@Edge module.

why

These fields are not configurable now.

references

Resolves #331

v0.96.0

04 Nov 15:29

Adding origin_access_control_id to custom_origins @jjchiw (#326)

Adding Origin Access Control Id to Custom Origins

what

Custom Origins didn't have Origin Access Control

Implements this infrastructure

https://aws.amazon.com/blogs/networking-and-content-delivery/image-optimization-using-amazon-cloudfront-and-aws-lambda/

why

Custom Origins didn't have Origin Access Control; if we wanted to invoke a Lambda, we were not able to do it.

references

Summary by CodeRabbit

  • New Features

    • Enhanced configuration options for custom origins in CloudFront with the addition of origin_access_control_id.
    • Updated variable definitions for custom_origins and s3_origins to include access control ID.
  • Bug Fixes

    • Deprecated certain variables to streamline configuration and encourage best practices.
  • Documentation

    • Updated documentation to reflect changes in variable structures and configurations.

v0.95.1

02 Oct 19:58

Add support for origin-access-control @rankin-tr (#319)

what

  • add Origin Access Control feature
    • add var.origin_access_type to enable Origin Access Identity or Origin Access Control policy
    • add aws_cloudfront_origin_access_control.default resource
    • add origin_access_control_id argument to origin config on aws_cloudfront_distribution.default
  • update example code
  • update README

why

  • provide the ability to make use of an Origin Access Control
    • retain default origin access identity behavior
  • AWS recommends using origin access control
  • Origin Access Identities are flagged in AWS Security Hub

references
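
An added example, not part of these release notes or of the module's code: a Python check over a CloudFront `DistributionConfig` document that reports the two settings whose defaults these releases changed, a viewer security policy older than TLSv1.2_2021 (#294) and S3 origins still using an Origin Access Identity instead of Origin Access Control (#319). The sample config, origin IDs, domain names and finding labels are constructed for illustration.

```python
import json

# Viewer security policies older than TLSv1.2_2021 (the module default as of v0.98.0).
LEGACY_TLS_POLICIES = {
    "SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016", "TLSv1.2_2018", "TLSv1.2_2019",
}

def audit_distribution(config):
    """Return (label, value) findings for one CloudFront DistributionConfig dict."""
    findings = []
    policy = (config.get("ViewerCertificate") or {}).get("MinimumProtocolVersion")
    if policy in LEGACY_TLS_POLICIES:
        findings.append(("tls-policy", policy))
    for origin in (config.get("Origins") or {}).get("Items") or []:
        s3 = origin.get("S3OriginConfig")
        if s3 is None:
            continue  # custom origins have no OAI field; not checked here
        if s3.get("OriginAccessIdentity"):
            # Legacy OAI still attached to this S3 origin.
            findings.append(("legacy-oai", origin["Id"]))
        elif not origin.get("OriginAccessControlId"):
            # Neither OAI nor OAC: CloudFront sends unsigned requests to the bucket.
            findings.append(("no-origin-access-control", origin["Id"]))
    return findings

# Constructed sample in the shape returned under "DistributionConfig".
SAMPLE_CONFIG = json.loads("""
{
  "Origins": {"Quantity": 4, "Items": [
    {"Id": "assets-oai", "DomainName": "example-assets.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAI"},
     "OriginAccessControlId": ""},
    {"Id": "media-oac", "DomainName": "example-media.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""},
     "OriginAccessControlId": "EXAMPLEOAC"},
    {"Id": "uploads-open", "DomainName": "example-uploads.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""},
     "OriginAccessControlId": ""},
    {"Id": "api-custom", "DomainName": "api.example.com",
     "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}
  ]},
  "ViewerCertificate": {"MinimumProtocolVersion": "TLSv1.2_2019",
                        "SSLSupportMethod": "sni-only"}
}
""")

if __name__ == "__main__":
    for label, value in audit_distribution(SAMPLE_CONFIG):
        print(f"{label}: {value}")
```

For a deployed distribution, the same dict is the `DistributionConfig` key in the output of `aws cloudfront get-distribution-config --id <distribution-id>`.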

🤖 Automatic Updates

Migrate new test account @osterman (#322)

what

  • Update `.github/settings.yml`
  • Update `.github/chatops.yml` files

why

  • Re-apply .github/settings.yml from org level to get terratest environment
  • Migrate to new test account

References

  • DEV-388 Automate clean up of test account in new organization
  • DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
  • DEV-386 Update terratest to use new testing account with GitHub OIDC

Update .github/settings.yml @osterman (#321)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update .github/settings.yml @osterman (#320)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update .github/settings.yml @osterman (#312)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

v0.95.0

10 Jun 20:32
239f4ea

What's Changed

New Contributors

Full Changelog: 0.94.0...0.95.0

v0.94.0

26 Mar 17:00
a8aa18d
Add support for realtime log config to ordered_cache @mschfh (#295)

what

This PR adds realtime log config support for additional cache behaviours (Similar to #162 which added default cache behaviour)

references

#162 - Added realtime_log_config_arn for default cache behaviour

v0.93.1

18 Mar 18:47
f3b5145
BucketOwnerEnforced s3 buckets can't have an acl @mfuhrmeisterDM (#301)

what

disable creating acl resource in that case.

why

BucketOwnerEnforced s3 bucket can't have an acl.

references

🤖 Automatic Updates

Add GitHub Settings @osterman (#302)

what

  • Install a repository config (.github/settings.yaml)

why

  • Programmatically manage GitHub repo settings

Update README.md and docs @cloudpossebot (#297)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

Update Scaffolding @osterman (#298)

what

  • Reran make readme to rebuild README.md from README.yaml
  • Migrate to square badges
  • Add scaffolding for repo settings and Mergify

why

  • Upstream template changed in the .github repo
  • Work better with repository rulesets
  • Modernize look & feel

v0.93.0

04 Mar 10:39
d208a62
Fixed deprecated aws_s3_bucket attributes @andruccho (#293)

The following options were deprecated, and have either been updated, or replaced with the new necessary resources:

  • server_side_encryption_configuration replaced with aws_s3_bucket_server_side_encryption_configuration resource
  • versioning replaced with aws_s3_bucket_versioning resource
  • cors_rule replaced with aws_s3_bucket_cors_configuration resource
  • acl replaced with aws_s3_bucket_acl resource
  • bucket_versioning input added

Pull request is almost the same with #266, exclude override_json replaced with override_policy_documents option, because for me it breaks logs submodule behavior.
I'm getting no deprecation warnings without this change (my aws provider version is 5.30.0).